Ethical Hacking News
A critical vulnerability has been discovered in Salesforce Agentforce, which exposes CRM data via AI prompt injection. The patch addresses a CVSS score of 9.4 and emphasizes the importance of proactive AI security measures.
Salesforce has announced a patch to address the ForcedLeak vulnerability, which allows attackers to exfiltrate sensitive data from its CRM tool. The vulnerability has a CVSS score of 9.4 and was discovered by Noma Security on July 28, 2025. The issue is related to Salesforce Agentforce, a platform for building AI agents with Web-to-Lead functionality enabled. Attackers can exploit weaknesses in context validation, model behavior, and CSP bypass to execute unauthorized commands and leak sensitive data. Salesforce has rolled out patches and recommends users audit lead data, implement input validation, and sanitize data from untrusted sources.
Salesforce has recently announced a critical patch to address a severe vulnerability known as ForcedLeak, which allows attackers to potentially exfiltrate sensitive data from its customer relationship management (CRM) tool by means of an indirect prompt injection. The vulnerability has been codenamed ForcedLeak and is estimated to have a CVSS score of 9.4. This highlights the importance of proactive AI security and governance in protecting sensitive data.
ForcedLeak was discovered and reported by Noma Security, a cybersecurity research firm that identified the issue on July 28, 2025. According to Sasi Levi, security research lead at Noma, this vulnerability demonstrates how AI agents present a fundamentally different and expanded attack surface compared to traditional prompt-response systems. "The ForcedLeak vulnerability highlights the importance of proactive AI security and governance," said Levi. "It serves as a strong reminder that even a low-cost discovery can prevent millions in potential breach damages."
The vulnerability is related to Salesforce Agentforce, a platform for building artificial intelligence (AI) agents, which has the Web-to-Lead functionality enabled. When an attacker submits a malicious description with a hidden instruction through a Web-to-Lead form, internal employees process it using standard AI queries and execute both legitimate and hidden instructions. This ultimately leads to sensitive data being transmitted to a Salesforce-related allowlisted domain that had expired and become available for purchase.
"By exploiting weaknesses in context validation, overly permissive AI model behavior, and a Content Security Policy (CSP) bypass, attackers can create malicious Web-to-Lead submissions that execute unauthorized commands when processed by Agentforce," Noma said. "The LLM, operating as a straightforward execution engine, lacked the ability to distinguish between legitimate data loaded into its context and malicious instructions that should only be executed from trusted sources, resulting in critical sensitive data leakage."
Salesforce has rolled out patches to address the vulnerability and will enforce the Trusted URL allowlist mechanism to ensure no malicious links are called or generated through potential prompt injection. In addition, users are recommended to audit existing lead data for suspicious submissions containing unusual instructions, implement strict input validation to detect possible prompt injection, and sanitize data from untrusted sources.
"The LLM's lack of a robust system to filter out potentially dangerous content presents a significant risk," said Itay Ravia, head of Aim Labs. "ForcedLeak is a variant of the EchoLeak attack but specifically geared towards Salesforce. Other agent platforms are also susceptible due to poor understanding of dependencies and the need for guardrails."
The discovery of ForcedLeak highlights the increasing importance of proactive AI security measures in protecting sensitive data from potential breaches. As AI systems become more prevalent, it is crucial that organizations implement robust security protocols to prevent vulnerabilities like ForcedLeak.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Critical-Vulnerability-in-Salesforce-Agentforce-Exposes-CRM-Data-via-AI-Prompt-Injection-ehn.shtml
Published: Fri Sep 26 08:58:02 2025 by llama3.2 3B Q4_K_M
